VeriSign Hack Ominous for Corporate, Government Risk

As details of the hacking of VeriSign unfold, questions emerge and government entities and corporations of all sizes are becoming more aware of their own vulnerabilities, according to a technology expert.

That VeriSign, seen as the Fort Knox of security for .com, .net and .gov web addresses, doesn’t seem to be aware of the extent of the hacking is a major concern.

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October, following new guidelines on reporting security breaches to investors. According to Reuters, which reviewed more than 2,000 documents that mentioned breach risks since the SEC guidance was published, VeriSign’s disclosure stood out.

“The main concern is that we all want to know that we’re dealing with—the websites that we think we’re dealing with,” explains Matthew Norris, global head of technology, media and telecommunications for Hiscox, located inLondon.

He tells NU Online News Service that “unfortunately, a hack like this could mean that people can pretend to be Amazon, say,” by erecting a spoof website.

Norris explains, “The most fascinating thing about this is that all the other certification authorities that got hacked, no one had really heard of. And [those companies] really didn’t have much money to spend on good security.”

On the other hand, he says, VeriSign was the most trusted party on the Internet, trusted by the U.S. government and huge organizations. “Their security is amazing,” he adds. “They are really well funded, their business is security, they’ve been around for ages and so if they’ve had a problem, it makes you think the old truth is true: It’s not so much what you do, it’s how determined the person is to cause your problem.”

Norris says there are two reasons the company might have been hacked: one is because the security of the company is so good that the hacker might have been driven to embarrass them. The other is that someone is trying to steal the information and misuse it.

“If that was true, and it’s unclear how far they got, then they must have really good resources, because normally the target is the path of least resistance—VeriSign is not the path of least resistance,” he observes. “This is not far off from Fort Knox, really.”

While the details are not yet clear, he says the second reason “seems very tempting, bearing in mind how many certification authorities have been targeted in the last year, to think that they were after the ability to issue their own certificates—to pretend to be Amazon.”

The most unnerving aspect, he says, is that the SEC’s disclosure system didn’t work. First of all, he says, it was disclosed too late, about a year after the hack. And secondly, the disclosure requirements do not give enough detail. “Even if it had been timely, everyone is scratching their head, there is just so little detail that has emerged.”

The broadest implication, Norris says, is “Even if you think your security is brilliant, it’s probably not as good as VeriSign, so the pressure to keep improving your security remains immense.”

He advises that organizations that need to send important content should encrypt the information. “Because even if you send encrypted data to someone who’s not the right person, they will struggle to make sense of the message.”